The Equifax Credit Breach Timeline: What Happened?

Starting sometime in mid-May and continuing into late July of 2017, Equifax, a consumer credit agency housing the data of more than 820 million consumers and over 91 million businesses worldwide, was under attack.

On July 29, the Equifax in-house security team discovered and blocked the assault, and then took the website offline the following day after observing additional questionable activity. A follow-up investigation determined that hackers gained access to Equifax’s archives through a known security flaw in its database framework.

On August 2, 2017, Equifax hired Mandiant, an independent cybersecurity firm, to investigate the breach. The inquiry concluded that the hack may have involved the theft of personal data including credit card, social security and, in some cases, drivers’ license numbers, birth dates, and addresses of about 143 million U.S. consumers – roughly 60 percent of American adults.

On September 7, 2017, as a result of the attack and its aftermath, Equifax publicly acknowledged the breach and took steps to provide consumers with information and assistance to find out if their personal data had been compromised. This included:

Creating a website specifically for consumers to find out if they had been impacted, to learn more information about the hack, what they might be able to do about it, and what they can do to protect themselves from potential future cyberattacks.

Offering free credit file monitoring and identity theft protection to U.S. consumers whether they were affected by the attack or not.

Establishing a call center to answer consumer questions concerning the breach and to encourage consumers to sign up for the company’s monitoring and theft protection service.

On September 12, Equifax announced that both its chief information officer and chief security officer would retire, effective immediately. Its chief executive officer stepped down on September 26, but is scheduled to testify before Congress in early October.

In the end, the safest conclusion is to assume your personal information was compromised in some way, even if there’s been no suspicious activity connected to your own banking accounts or credit, so far.